Please note that there is a default DUAProfile with IPA that allows you
to skip the manual configuration of ldapclient, and just do
"ldapclient init ipa-server-fqdn". I don't understand why the
documentation says to do a manual configuration of ldapclient. The
example provided also does a lot of unnecessary attribute mapping.

The documentation includes a manual configuration so one can do it if
desired.

The documentation includes only the manual configuration. Using a
DUAProfile is easier both for installing, and maintaining the Solaris
clients as they will re-read configuration from the DUA profile
periodically. Manual configuration should be avoided if possible.
Do you want me to open a DOC BUG to have this changed?

AND include a more functional DUAProfile by default configuring the
clients for ethers and automount support as well.
Do you want me to open a ticket for this? The profile I sent in the
previous email can be used as a template.

However I cannot log on to the console. Enabling debugging on pam tells me:
Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
integrity check failed
There was an issue on Solaris 10 with incorrect configuration to allow
aes256 support, only aes128 and downwards were enabled by default. This
does not seem to be the case for Solaris 11.
Does anyone else get the same decrypt failed issue?

I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.

Yes, Solaris 10 works just fine for console login, both x86 and sparc.
This seems to be an issue in Solaris 11. It could be a configuration
error, I just haven't had time to look into it yet. We do not use
Solaris 11 in production as of today.

Do you see anything special on the KDC side when you get that error in
the console?
Do you play with enctypes when you obtain the system keytab?

I did not look at the KDC logs. And yes, I did try to limit the enc
types to 3des and below, it still did not work.